Re: [Acme] tls-sni-01 validation compromise

Martin Thomson <martin.thomson@gmail.com> Fri, 22 January 2016 03:03 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B61A1B36DE for <acme@ietfa.amsl.com>; Thu, 21 Jan 2016 19:03:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRK5EYdE-wdS for <acme@ietfa.amsl.com>; Thu, 21 Jan 2016 19:03:02 -0800 (PST)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C36D1B36D7 for <acme@ietf.org>; Thu, 21 Jan 2016 19:03:02 -0800 (PST)
Received: by mail-io0-x234.google.com with SMTP id 77so75210625ioc.2 for <acme@ietf.org>; Thu, 21 Jan 2016 19:03:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FMtCJLpHZWdzTrDttO0zwejj9wBn0vu3HfXzurqRXFY=; b=DSAmUcaIZgeC3zVUvdZMOlhHCdYIivwy+afo2yX6rQRe+mEDEVlDDNUqxawfiMfywn EehkQ8oQwC6x/0CZ1xRi9UbH/BBS/fWEt8hi0JQVOpTN4ZuhJVQ051uYVe1ZOzipnbRp APvp999YFFhBBvkW1poErWhMvAtLESEzsolDH5i7SdFzV3T143sszjoGVKFy1V7IdIio dCKjhX/DMvQGPsWIsp967CVCwNzVob8CmH3bpFk5iOcE7WaYMLRKWQOVbEGo1M5QCXYE U4MeJRKc/VzzAiQuZILilkp2TZH9vMzx5SrZpMhUZv5I9bEW6/g5cGSV93PjZ1XkVbRW KF3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=FMtCJLpHZWdzTrDttO0zwejj9wBn0vu3HfXzurqRXFY=; b=To8EoWNk2gtxadHPUiNbADvN5D+QU7ny3NJjmf1vOTLy1QcUKItE1BSi1JT7NMNTxA VB0BTQK96+6gy/AC+bMM2lsy8mbM5zrLNPdhItbMx7xWwBhJo4hQtag9HN10ht4mPuAy elFyTMyVcXO6geMTlsD4IYOZabXyAImUDtpqS5HVUpVwHK+CmO+VajsaDdFZU2hrJYto XsWZjuzebwxvK3YVjrv0ylvTpz0020dwNaSiKt8lPzgcJ/5VBMkXymu7xNNiTM0FBnnK CNbM4Y4OWPC0WBxgYaOMb+xd7rkXueYcTIme6WEFIw/+SjKB0uLuJB/+1c2ZlfNyiiUQ 0ccw==
X-Gm-Message-State: AG10YORsiJX1Mog+AUH6jv/Q1USoTX94xzse+jylLTUy1+SuWYdR+lZry0kCS3t66txBqfUYt1z+yGd/81SuZw==
MIME-Version: 1.0
X-Received: by 10.107.33.12 with SMTP id h12mr1215149ioh.108.1453431782011; Thu, 21 Jan 2016 19:03:02 -0800 (PST)
Received: by 10.36.149.130 with HTTP; Thu, 21 Jan 2016 19:03:01 -0800 (PST)
In-Reply-To: <CAES3dxRZ7ieQ+G0Zv0oZmehUFPGU36KUdvrkSL+MMLSQWbP08w@mail.gmail.com>
References: <CAES3dxRZ7ieQ+G0Zv0oZmehUFPGU36KUdvrkSL+MMLSQWbP08w@mail.gmail.com>
Date: Fri, 22 Jan 2016 14:03:01 +1100
Message-ID: <CABkgnnVMDFnz3EARBBw=OhnHo3USsJo4ynpBCrca_Df6XGDSeQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Jehiah Czebotar <jehiah@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/JK5ARGG7Gy02QlLyQ65G-H6PjXY>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] tls-sni-01 validation compromise
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2016 03:03:04 -0000

On 22 January 2016 at 13:38, Jehiah Czebotar <jehiah@gmail.com> wrote:
> 1) Change the requirement that the self signed cert have one DNSName,
> and require the response to have TWO DNS names. One that matches the
> requested hostname, and a second that is secret which proves it can
> only be created by the appropriate party initiating validation
> 2) Remove reliance on SNI matching, and make the challenge `tls-01`
> and fulfill the same HTTP response requirements as `http-01` where the
> Hostname, and request path are untrusted, but the response body with
> full keyAuthorization proves the connection to the requestor. This
> opens up the possibility of TLS validation against the $domain being
> validated instead of relying on a .acme.invalid hostname.

I think that the suggestion that the challenge response include
something unique to the challenge (as http-01 already does) is a fine
suggestion.  I don't think that it matters much how that is done.  If
the intent is to verify that the requester exercises control over the
TLS server, having this restricted to things that are part of the TLS
server configuration is probably advisable.

To that end, adding a key authorization to the certificate would seem
to be the best option.  Whether that is done as a second
subjectAltName or as a separate extension probably doesn't matter
much.

Following through with a challenge like http-01 would work, but it
means playing with the configuration of the server in two places.